Analysis

max time kernel: 144s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-09-2024 11:48
Behavioral task: behavioral1
Sample: Svchost.exe
Resource: win7-20240903-en
General

Target: Svchost.exe
Size: 45KB
MD5: d7b665428dd5924505511bd5c0f79e28
SHA1: ef1480132b1bae773ef2ddede22e0f1ae7786625
SHA256: c69792d8a8ef30f50d118949aee702a01be0cafb4e9f6c9b544a8bb193ea5994
SHA512: 9c0918269b6c8ed93cff186ae13fc0bb288be64381f6465597c619a5a894e76cf5af45c46b7a1aea3c0acd184fc4f74cc2e2dc2b4dc9cedae6643b8ad74f9521
SSDEEP: 768:ldhO/poiiUcjlJInShYH9Xqk5nWEZ5SbTDaCuI7CPW5u:7w+jjgnSSH9XqcnW85SbTXuIm
Malware Config

Extracted
Family: xenorat
C2: zenofs.zapto.org
Mutex: Svcchost
install_path: appdata
port: 4444
startup_name: Windows Support
Signatures

Detect XenoRat Payload (2 IoCs)
resource | yara_rule
behavioral2/memory/1572-1-0x0000000000F40000-0x0000000000F52000-memory.dmp | family_xenorat
behavioral2/files/0x00080000000235ac-6.dat | family_xenorat

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | Svchost.exe

Executes dropped EXE (1 IoC)
pid | Process
2456 | Svchost.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1288 | schtasks.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 1572 wrote to memory of 2456 | 1572 | Svchost.exe | 89
PID 1572 wrote to memory of 2456 | 1572 | Svchost.exe | 89
PID 1572 wrote to memory of 2456 | 1572 | Svchost.exe | 89
PID 2456 wrote to memory of 1288 | 2456 | Svchost.exe | 90
PID 2456 wrote to memory of 1288 | 2456 | Svchost.exe | 90
PID 2456 wrote to memory of 1288 | 2456 | Svchost.exe | 90
Processes

C:\Users\Admin\AppData\Local\Temp\Svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\Svchost.exe"
  PID: 1572
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\XenoManager\Svchost.exe
    "C:\Users\Admin\AppData\Roaming\XenoManager\Svchost.exe"
    PID: 2456
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "Windows Support" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2ECB.tmp" /F
      PID: 1288
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4072,i,1828333185976713750,7918646547767660928,262144 --variations-seed-version --mojo-platform-channel-handle=4384 /prefetch:8
  PID: 1216
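The process tree above is the detection hook a responder would actually use: a binary named Svchost.exe launching from a user-writable directory (Temp, then AppData\Roaming\XenoManager), and a child schtasks.exe that imports its task definition from a .tmp file in Temp. The following is an added example, not part of the sandbox report, that runs that logic over constructed process-creation events (Sysmon Event ID 1 style fields) built from the report's PIDs, paths and command lines. The parent PID 4000 for the two top-level processes and the two benign control events are assumptions; the report does not record them.

```python
"""Detection logic for the process chain in the report above.

Added example, not part of the sandbox report. Flags three things on a stream
of process-creation events:
  1. svchost.exe executing from outside the System32 / SysWOW64 directories
     (the sample drops itself into the XenoManager folder under %APPDATA%);
  2. schtasks.exe /Create that imports its task definition (/XML) from a
     Temp directory, as the sample does with tmp2ECB.tmp;
  3. a parent chain linking such a schtasks call back to the masqueraded
     svchost.exe, the high-confidence combination.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the executable
    command_line: str


# Directories a genuine svchost.exe runs from (lower-cased for comparison).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# /XML <path> where <path> passes through a \Temp\ or \Tmp\ directory.
TEMP_XML_RE = re.compile(r'/xml\s+"?([^"\s]*\\(?:temp|tmp)\\[^"\s]*)', re.I)
# /TN "name" or /TN name
TASK_NAME_RE = re.compile(r'/tn\s+(?:"([^"]*)"|(\S+))', re.I)


def is_masqueraded_svchost(ev: ProcEvent) -> bool:
    """True when the image is named svchost.exe but lives outside System32/SysWOW64."""
    p = PureWindowsPath(ev.image)
    if p.name.lower() != "svchost.exe":
        return False
    return str(p.parent).lower() not in LEGIT_SVCHOST_DIRS


def is_temp_xml_task_create(ev: ProcEvent) -> bool:
    """True for schtasks.exe /Create whose /XML definition comes from a Temp path."""
    if PureWindowsPath(ev.image).name.lower() != "schtasks.exe":
        return False
    cl = ev.command_line
    return "/create" in cl.lower() and TEMP_XML_RE.search(cl) is not None


def task_name(command_line: str) -> str | None:
    """Extract the /TN value from a schtasks command line, if present."""
    m = TASK_NAME_RE.search(command_line)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def detect(events: list[ProcEvent]) -> list[tuple]:
    """Return (rule, pid[, child_pid]) tuples for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    hits: list[tuple] = []
    for ev in events:
        if is_masqueraded_svchost(ev):
            hits.append(("masqueraded_svchost", ev.pid))
        if is_temp_xml_task_create(ev):
            hits.append(("schtasks_temp_xml", ev.pid))
            # Walk up the parent chain; stop at the first masqueraded svchost.
            # The `seen` set guards against PID reuse producing a cycle.
            seen: set[int] = set()
            parent = by_pid.get(ev.ppid)
            while parent is not None and parent.pid not in seen:
                seen.add(parent.pid)
                if is_masqueraded_svchost(parent):
                    hits.append(("chain_svchost_to_schtasks", parent.pid, ev.pid))
                    break
                parent = by_pid.get(parent.ppid)
    return hits


# Constructed events. PIDs, paths and command lines follow the report's process
# tree; parent PID 4000 and the two benign control events are assumptions.
SAMPLE_EVENTS = [
    ProcEvent(900, 700, r"C:\Windows\System32\svchost.exe",
              "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"),
    ProcEvent(1572, 4000, r"C:\Users\Admin\AppData\Local\Temp\Svchost.exe",
              '"C:\\Users\\Admin\\AppData\\Local\\Temp\\Svchost.exe"'),
    ProcEvent(2456, 1572, r"C:\Users\Admin\AppData\Roaming\XenoManager\Svchost.exe",
              '"C:\\Users\\Admin\\AppData\\Roaming\\XenoManager\\Svchost.exe"'),
    ProcEvent(1288, 2456, r"C:\Windows\SysWOW64\schtasks.exe",
              '"schtasks.exe" /Create /TN "Windows Support" '
              '/XML "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp2ECB.tmp" /F'),
    ProcEvent(1216, 4000, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" --type=utility'),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The genuine System32 svchost.exe and the msedge.exe utility process produce no hits; both Svchost.exe copies are flagged on path alone, and the schtasks call is additionally tied back to PID 2456 through the parent chain. In a real deployment the same three predicates map directly onto Sysmon Image/ParentProcessId fields or a SIEM process table.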
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: dc9da360c13e549113fa679558d32557
SHA1: c3edf7411c9ca91cf84ff5caee8617daab489d9c
SHA256: 0b86988e5abcb35b0a4b2c12b4a0a6875aecfb910d87ec8dbcaf0a7d6a039725
SHA512: 44645a3693177ab17be7d831b660be5f378e2930ccc23a4a8d3587ed8dd748fe2e65d47d90f0026f73be746a500a34b14bf3e93cc8edd62f71671cc4c58bee7a

Filesize: 45KB
MD5: d7b665428dd5924505511bd5c0f79e28
SHA1: ef1480132b1bae773ef2ddede22e0f1ae7786625
SHA256: c69792d8a8ef30f50d118949aee702a01be0cafb4e9f6c9b544a8bb193ea5994
SHA512: 9c0918269b6c8ed93cff186ae13fc0bb288be64381f6465597c619a5a894e76cf5af45c46b7a1aea3c0acd184fc4f74cc2e2dc2b4dc9cedae6643b8ad74f9521

The 45KB entry carries the same MD5, SHA1, SHA256 and SHA512 as the submitted sample, so the dropped executable is a byte-identical copy of the original rather than a distinct second-stage payload; the file hashes above therefore also cover the persisted copy.